How to extend the validity of Astra's Pentest Certificate?
Last updated: June 8, 2026
Introduction
After a successful penetration test, Astra issues a publicly verifiable Pentest Certificate that is valid for 180 days. As your certificate approaches expiry, you have options to extend its validity without necessarily commissioning a full new pentest — provided certain conditions are met. This article explains both extension methods, when each applies, and what to expect from the process.
Who Should Read This
This article is for security leads, compliance officers, and anyone responsible for maintaining an active and valid Pentest Certificate for their organisation. It is particularly relevant if your certificate is approaching its expiry date or has expired within the last 20 days.
Understanding Certificate Validity
Before choosing an extension method, it helps to understand how certificate validity works on the Astra platform.
Beyond the initial 180 days, a 20-day grace period applies, during which you can still request a certificate extension. After this grace period, a new pentest is required regardless of which extension method you choose.
Prerequisites
Before initiating a certificate extension, confirm the following:
Your current Pentest Certificate was issued within the last 180 days (for Option 1, Vetted Scan), or within the last 200 days if you are counting the 20-day grace period.
Your Astra subscription is active.
You understand that if any critical, high, or medium severity vulnerabilities with exploitation potential are found during the vetted scan, these must be resolved before the extension can be issued.
If your application has undergone major releases, significant new features, or a complete version overhaul since the last pentest, you will need to proceed with Option 2 (New Pentest) regardless of certificate age.
Option 1: Request a Vetted Scan (Certificate Within 180 Days)
If your Pentest Certificate was issued within the last 180 days, you can extend its validity by an additional 180 days — or until the end of your current subscription, whichever comes first — by requesting a vetted scan.
A vetted scan assesses any new features or changes developed since the last pentest. Astra's security engineers review the results and, if no blocking vulnerabilities are found, issue the certificate extension.
Steps to Request a Vetted Scan
Log in to your Astra dashboard.
Navigate to the Continuous Scans page from the left sidebar.
Locate the automated scan associated with your target.
Click on the scan to open the scan settings.
Select Request Vetting from the available options.
Confirm your request.
Astra's security engineers will review the scan results. Once the review is complete and no blocking vulnerabilities are identified, your certificate validity will be extended by an additional 180 days.
Expected outcome: Your certificate expiry date is updated in the Certificates page of your dashboard, reflecting the new 180-day validity window.
What Can Block a Certificate Extension
If the vetted scan identifies any of the following, you must resolve them before the extension can be issued:
Critical severity vulnerabilities with exploitation potential
High severity vulnerabilities with exploitation potential
Medium severity vulnerabilities with exploitation potential
Once the identified issues are fixed and confirmed, the extension will be processed.
Option 2: Undergo a New Pentest (Certificate Over 180 Days)
If your Pentest Certificate is more than 180 days old — including beyond the 20-day grace period — you will need to complete a new pentest to obtain a fresh certificate. This ensures Astra's engineers can conduct a comprehensive reassessment of your application before issuing a new certification.
A new pentest is also required regardless of certificate age if your application has experienced:
A major new release or version update
Significant new features added since the last assessment
A complete architectural overhaul or infrastructure change
These scenarios require a fresh comprehensive assessment to ensure the certificate accurately reflects the current state of your application.
Steps to Initiate a New Pentest
Option A: From the Dashboard
Log in to your Astra dashboard.
Navigate to the Targets page.
Click the Add New Target button.
Follow the target setup flow to configure your application for a new pentest.
Option B: Via the Sales Team
If you would prefer guidance on scoping and scheduling your new pentest:
Contact Astra's sales team at sales@getastra.com.
Provide details about your application scope and any changes since the last assessment.
The team will assist with scheduling and configuration.
Choosing the Right Extension Method
How to View Your Certificate Status
You can check the current validity status of all your certificates from the Certificates page in your dashboard.
Log in to your Astra dashboard.
Navigate to the Certificates page from the left sidebar under the Manual Pentesting section.
Review the Valid Till column for each certificate.
The status column will show Active, Expiry in 30 Days, or Expired for each certificate.
You can also download your certificate or generate a public verification link directly from this page. See [Understanding publicly verifiable pentest certificates by Astra] for details on how to share and verify certificates with external parties.
Best Practices
Start the extension process before your certificate expires. Initiating a vetted scan takes time, and if blocking vulnerabilities are found, you will need additional time to resolve them. Do not wait until the last few days of validity.
Schedule regular automated scans between pentests so that new features and code changes are continuously monitored. This reduces the likelihood of blocking vulnerabilities appearing during the vetted scan review.
Respond promptly to renewal outreach from your CSM. Your Customer Success Manager will contact you before your certificate expires to coordinate the renewal process. Timely responses help avoid any gap in certification.
Plan for a new pentest if you know a major release is coming. Aligning your pentest timing with significant product releases ensures your certificate reflects the most current version of your application.
Address medium and above severity vulnerabilities promptly. Unresolved medium, high, or critical vulnerabilities can block your certificate extension. Keeping your vulnerability backlog clean makes renewals significantly smoother.
Troubleshooting
I requested a vetted scan but my certificate has not been extended yet.
The extension is issued after Astra's security engineers have reviewed the scan results. This typically takes a few working days. If blocking vulnerabilities were identified, you will need to resolve them first. Check your dashboard for any open vulnerability findings from the vetted scan and address them before following up.
My certificate expired before I could request a vetted scan. What are my options?
If you are within the 20-day grace period beyond the 180-day validity, you can still request a vetted scan to extend the certificate. If the grace period has also passed, a new pentest is required. Contact your account manager or raise a support ticket to discuss the fastest path to a new certificate.
The vetted scan found blocking vulnerabilities. How long do I have to fix them?
There is no hard deadline for fixing blocking vulnerabilities, but your certificate remains expired or unextended until they are resolved and confirmed. Prioritise addressing critical and high severity findings first and mark them as ready for review in your dashboard once fixed.
I am unsure whether my application changes warrant a new pentest or a vetted scan.
If you are uncertain, err on the side of a new pentest for comprehensive coverage. You can also raise a support ticket describing the changes made since your last assessment and our team will advise on the appropriate path.
I cannot find the Request Vetting option in my scan settings.
The Request Vetting option is only available for scans on targets that have an active Pentest Certificate within the 180-day validity window. If your certificate has expired or the option is not visible, check your certificate status on the Certificates page and raise a support ticket if you believe this is an error.
Next Steps
[Overview of Certificates page] — View all certificate statuses and download or share your certificates
[Understanding publicly verifiable pentest certificates by Astra] — Learn how to make your certificate publicly verifiable and share it with stakeholders
[When Should I Renew My Penetration Testing Certificate?] — Understand the recommended renewal timeline and process
[What are the different statuses available for certificates?] — Detailed breakdown of certificate status definitions
[How much time does a Pentest (VAPT) take?] — Plan your timeline if a new pentest is required